Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Transcription

1 Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational awareness of the current workstation 1.2 Use System Internals tools to gain situational awareness of the current workstation Skill 2: Employ commands using Windows Management Instrumentation Command-line 2.1 Use WMIC commands to gain situational awareness of the current workstation Skill 3: Employ commands using Powershell 3.1 Identify the purpose of using Powershell in operations 3.2 Demonstrate basic functionality of Powershell 3.3 Describe the main components of Powershell Skill 4: Develop scripts. 4.1 Discuss the purpose of creating a script 4.2 Create a batch script that will perform basic enumeration of a workstation 4.3 Create Powershell script that will perform basic enumeration of a workstation Section 2: Processes SKILL 5: Define the Windows pre-boot process SKILL 6: Define the Windows boot process SKILL 7: Identify the Windows logon process SKILL 8: Identify Windows processes 8.1 Explain how to find the current status of a Windows process 8.2 Explain the process states and identify why they are important 8.3 Explain process threads and handles

2 8.4 Describe the thread states 8.5 Discuss the differences between processes, threads and handles 8.6 Describe system processes SKILL 9: Analyze the validity of Windows processes 9.1 Identify the importance of the output of command line tools 9.2 Determine the abnormal activities that are taking place on a system based on a process list SKILL 10: Identify different types of malware 10.1 Distinguish between types of malware 10.2 Discuss the purpose and methodology of bots and botnets SKILL 11: Identify aspects of virtualization 11.1 Discuss the importance of virtual machines SKILL 12: Identify the importance of situational awareness 12.1 Explain the situational awareness process 12.2 List ways to gain situational awareness on a remote system 12.3 Explain potential reasons for heightened situational awareness Section 3: Registry SKILL 13: Explain the purpose of Windows Registry 13.1 Explain the purpose and role of Windows Registry and its major functions 13.2 Describe Registry hierarchy organization and primary components SKILL 14: Employ Windows Registry tools 14.1 Identify parts of the Registry using GUI-based tools 14.2 Use command line syntax to query, view, analyze, modify and create Registry values 14.3 Explain when and how changes to the Registry are expected to take effect SKILL 15: Analyze Windows Registry for suspicious activity 15.1 Identify Registry locations that contain forensically relevant information 15.2 Identify Registry locations that can be utilized for persistence 15.3 Perform basic analysis on a Windows system with a compromised Registry

3 Section 4: System Hardening, Auditing and Logs SKILL 16: Identify basic Windows firewall concepts 16.1 Enable Windows firewall settings with the graphical user interface and command line tools 16.2 Describe the different components of Windows firewall SKILL 17: Identify components of New Technology File System (NTFS) 17.1 Describe basic file and folder permissions 17.2 Modify permissions in Windows 17.3 Apply permissions based on users and groups SKILL 18: Define Windows Resource Protection 18.1 Describe Windows Resource Protection 18.2 Identify files that are protected by Windows Resource Protection 18.3 Discuss the security implications of Windows Resource Protection on a compromised system SKILL 19: Define user account control 19.1 Identify the purpose of user account control 19.2 Employ user interface privilege isolation SKILL 20: Analyze Windows system security posture 20.1 Discuss information assurance and information security policies SKILL 21: Identify security products 21.1 Identify host-based security products 21.2 Identify network security products 21.3 Discuss signature based detection 21.4 Discuss heuristic based detection SKILL 22: Define Windows auditing 22.1 Explain why audit policies are important 22.2 Explain the functionality of the main logs 22.3 Discuss audit policy settings

4 22.4 Identify the events that get audited SKILL 23: Configure the audit policy for anomalous activity 23.1 Use GUI tools to view policy settings 23.2 Use command line tools to view policy settings SKILL 24: Analyze event logs for anomalous activity 24.1 Identify the locations of logs on the Windows system 24.2 Identify events that would be audited and why 24.3 Employ command line tools to view event logs Section 5: Windows Networking SKILL 25: Identify Windows networking features 25.1 Describe Server Message Block (SMB) 25.2 Explain the purpose of mailslots 25.3 Describe NetBIOS 25.4 Distinguish hostnames from NetBIOS names 25.5 Explain Windows network naming schemes 25.6 Define host name resolution 25.7 Define remote procedure call (RPC) 25.8 Describe Group Policy Objects 25.9 Perform Group Policy Object queries through the command line Modify Group Policy Objects through the command line SKILL 26: Perform basic network analysis on a Windows machine 26.1 Perform basic network analysis using built-in tools 26.2 Describe sockets 26.3 Identify services associated with listening ports 26.4 Assess security implications of listening ports and established connections SKILL 27: Analyze security identifiers 27.1 Identify the purpose of security system components

5 27.2 Explain how access tokens are important for security 27.3 Explain security identifiers and how they are generated 27.4 Locate a SID in the Windows Registry and associate it with a user profile 27.5 Identify built-in Windows user accounts 27.6 Identify the differences between local and domain accounts 27.7 Describe common user rights and the rights assigned to built-in groups SKILL 28: Identify Active Directory basics 28.1 Identify the Active Directory Schema and Global Catalog 28.2 Describe the features of Active Directory 28.3 Explain the logical and physical structure of Active Directory 28.4 Describe functions of the resources associated with Active Directory 28.5 Employ command line tools to gain information about a system or network Section 6: Windows Tactical Survey SKILL 29: Describe the phases of Incident Response 29.1 Identify what occurs in the Preparation phase of Incident Response 29.2 Identify what occurs in the Identification phase of Incident Response 29.3 Identify what occurs in the Containment phase of Incident Response 29.4 Identify what occurs in the Investigation phase of Incident Response 29.5 Identify what occurs in the Eradication phase of Incident Response 29.6 Identify what occurs in the Recovery phase of Incident Response SKILL 30: Describe order of volatility 30.1 Discuss the factors involved when considering order of volatility 30.2 Assess the order of volatility during an incident SKILL 31: Analyze the enumeration process 31.1 Identify baseline knowledge on a machine 31.2 Gather baseline knowledge on a machine 31.3 Discuss the differences between malicious and normal activity

6 31.4 Characterize system features through enumeration 31.5 Identify scheduled tasks that may affect the purpose or activity on a machine 31.6 Explain what should be assessed during enumeration of the environment 31.7 Describe how to detect and enumerate malware SKILL 32: Discuss the documentation involved in a tactical survey 32.1 Identify the importance of operations notes (Op Notes) 32.2 Discuss the components of a report SKILL 33: Use enumeration information to analyze courses of action 33.1 Discuss the primary factors for recommending a course of action based on enumeration 33.2 Identify the common vulnerabilities that could change the course of a mission 33.3 Discuss the development of courses of action Linux Operating Systems Section 1: Core Features SKILL 1: Identify common shells 1.1 Describe common shells and their differences 1.2 Define common shell modes, features and functions SKILL 2: Employ commands using common shells 2.1 Demonstrate basic familiarity with the command line interface 2.2 Describe environment initialization and implications 2.3 Demonstrate appropriate use of pipes and redirection 2.4 Explain the fundamentals of Boolean logic 2.5 Identify methods of gaining more information about commands and switches SKILL 3: Analyze the Linux file system

7 3.1 Describe file system hierarchy 3.2 Describe file system ownership properties 3.3 Discuss file system permissions 3.4 Discuss file system timestamps 3.5 Discuss file system attributes 3.6 Employ commands to search the file system 3.7 Describe regular expressions 3.8 Create regular expressions to find data within in the file system 3.9 Identify the information that a regular expression will return Section 2: Boot Processes SKILL 4: Describe the Linux boot process 4.1 Identify components of the boot process 4.2 Explain the post kernel boot process 4.3 Describe boot process differences across Linux variants 4.4 Describe partitions SKILL 5: Assess boot configuration files 5.1 Identify components of the boot configuration file 5.2 Identify system changes after modification of the boot configuration file Section 3: Scripts & Processes SKILL 6: Identify Linux processes 6.1 Identify common processes for Linux startup 6.2 Identify common processes for Linux machine 6.3 Employ commands to enumerate processes

8 6.4 Explain the functionality of daemons 6.5 Discuss orphaned and defunct processes 6.6 Identify the purpose of apt/aptitude 6.7 Evaluate the validity of Linux processes SKILL 7: Develop shell scripts 7.1 Demonstrate basic familiarity with shell scripting 7.2 Explain variables and variable manipulation 7.3 Employ commands for string manipulation 7.4 Identify hashing and file hashes 7.5 Create a bash script to perform basic enumeration on a Linux machine SKILL 8: Identify Linux networking features 8.1 Describe the local name resolution process on a Linux host 8.2 Describe the difference between regular and raw sockets 8.3 Identify basic network services for Linux 8.4 Employ commands to gather network information 8.5 Enumerate active connections on a Linux machine 8.6 Describe the advantages and disadvantages of Samba 8.7 Explain the functionality of telnet 8.8 Perform a file transfer using telnet 8.9 Analyze network connections using Linux command line tools Section 4: Auditing & Logging SKILL 9: Identify auditing activities 9.1 Explain system logging 9.2 Identify application logging 9.3 Explain authentication and authorization logs SKILL 10: Identify actions that contribute to log files

9 10.1 Describe the actions that contribute to entries in log files 10.2 Analyze log files for anomalous activity Section 5: Linux Exploitation SKILL 11: Discuss the reasons to establish permanent presence 11.1 Define permanent presence 11.2 Describe the clean-up process associated with your activity 11.3 Identify indicators and symptoms of compromise 11.4 Develop a methodology for the enumeration of a compromised system SKILL 12: Analyze different types of rootkits and backdoors 12.1 Discuss and define the main types of backdoors 12.2 Discuss and define the main types of rootkits 12.3 Identify different backdoor persistence techniques 12.4 Describe backdoor communication methods 12.5 Describe methods to detect and mitigate rootkits 12.6 Demonstrate how rootkits can be used to provide false information to a user SKILL 13: Explore Linux Exploitation tools 13.1 Discuss shell code 13.2 Identify remote shell code execution 13.3 Define credentials 13.4 Perform credential cracking 13.5 Identify purposes for Metasploit 13.6 Define rainbow tables 13.7 Identify the purposes for custom malware 13.8 Identify zero configuration networking

10 Networking Section 1: Network Discovery SKILL 1: Identify core networking features 1.1 Describe data link protocol 1.2 Describe Layer 2 switching concepts 1.3 Explain how virtual LANs work 1.4 Describe how internetworking is performed 1.5 Discuss LAN and internetwork traffic and how they interact 1.6 Describe classless versus classful networking 1.7 Explain the differences between IPv4 and IPv6 1.8 Describe address scope 1.9 Describe methods for assigning IP addresses 1.10 Explain how a router works 1.11 Explain the routing process 1.12 Describe features of the Dynamic Host Configuration Protocol (DHCP) 1.13 Describe the differences between DHCPv4 and DHCPv Describe the address resolution protocol (ARP) 1.15 Describe ICMP 1.16 Describe transport protocols 1.17 Describe UDP and when it should be used 1.18 Describe TCP and when it should be used 1.19 Explain why helper protocols are used 1.20 Identify well-known ports 1.21 Describe ephemeral ports 1.22 Explain Domain Name Service (DNS) 1.23 Explain IP routing tables 1.24 Explain the difference between regular and raw sockets

11 SKILL 2: Identify fundamentals of network discovery 2.1 Describe active methods used for network discovery 2.2 Explain the potential mitigation techniques for network discovery 2.3 Explain the network discovery process from an offensive position 2.4 Explain the network discovery process from a defensive position 2.5 Discuss best practices for network analysis 2.6 Identify the items of interest when performing internal reconnaissance SKILL 3: Perform network discovery 3.1 Analyze a router configuration and create a network map Section 2: Analyze Network Traffic SKILL 4: Identify the sections of common packet headers 4.1 Identify the various packet headers 4.2 Explain address auto-configuration 4.3 Describe IPv4 packet structures 4.4 Describe IPv6 packet structures 4.5 Describe common ICMP message types SKILL 5: Identify packet sniffing tools 5.1 Explain Berkley Packet Filters (BPF) 5.2 Use BPFs to view multiple protocol types 5.3 Demonstrate packet decoding features 5.4 Describe network sniffing 5.5 Identify common networking sniffing tools 5.6 Explain why network sniffers are common for remote exploitation and detection 5.7 Identify how sniffing and filtering relate to the DNS protocol 5.8 Discuss passive approaches to network analysis 5.9 Explain how host analysis can be used to gather network information 5.10 Explain server identification

12 5.11 Perform server identification 5.12 Explain how server identification can be used to gather network information 5.13 Explain how packet captures can be used to gather network information 5.14 Describe the principles of p0f 5.15 Discuss the purpose of p0f databases 5.16 Describe the process of sniffing for an operating system 5.17 Assess TTL/hop counts SKILL 6: Identify implications of network traffic captures 6.1 Discuss security implications of major protocol traffic 6.2 Explain why network monitoring tools are deployed 6.3 Explain the impact of network monitoring tools in exploitation operations Section 3: Filtering Devices SKILL 7: Define methodologies of filtering 7.1 Explain the function of different network devices and their recommended position on a network 7.2 Explain how network devices can be used to filter packets 7.3 Describe CISCO standard and extended access control lists (ACL) 7.4 Explain how ACLs are applied 7.5 Describe the limitations of packet filters in terms of directionality 7.6 Discuss firewall types 7.7 Interpret a data flow diagram given a set of firewall rules 7.8 Describe the purpose of iptables 7.9 Explain how iptables are structured 7.10 Describe iptable rules 7.11 Explain the effect of iptable rules on traffic flows 7.12 Contrast iptable chains and ACLs 7.13 Construct iptable rules

13 7.14 Explain network address translation (NAT) 7.15 Explain the functionality of NAT within iptables SKILL 8: Identify filtering devices SKILL 9: Configure filtering devices Section 4: Network Traffic Manipulation SKILL 10: Perform file transfers 10.1 Describe common methods for transferring files 10.2 Describe covert methods for transferring files 10.3 Explain the forward file transfer process with netcat 10.4 Explain the reverse file transfer process with netcat 10.5 Demonstrate the process for transferring files via terminal SKILL 11: Perform network traffic redirection 11.1 Explain how SSH tunneling 11.2 Explain the process of IPv4 tunneling 11.3 Explain the process of IPv6 tunneling 11.4 Contrast redirection with tunneling SKILL 12: Define the principles of tunneling network traffic 12.1 Explain establishment redirectors 12.2 Explain deployable redirectors 12.3 Contrast establishment and deployment redirectors 12.4 Explain the challenges of discovering covert channels 12.5 Use FPIP to perform redirection 12.6 Describe protocol swapping SKILL 13: Identify fundamentals of secure shell protocol 13.1 Discuss SSH tunnels 13.2 Discuss SSH reverse tunnels 13.3 Interpret tunnel diagrams

14 13.4 Describe the process for using SSH to connect to a remote machine 13.5 Explain the purpose of multi-hop tunneling 13.6 Explain the process for multi-hop tunneling 13.7 Describe the appropriate use of of reverse tunnels 13.8 Describe basic port forwarding 13.9 Set up an initial SSH tunnel and add another tunnel using another tool Section 5: Industrial Control Systems (ICS) SKILL 14: Define Industrial Control System (ICS) fundamentals 14.1 Describe ICS hardware 14.2 Describe ICS software 14.3 Discuss industries where ICS is most utilized 14.4 Describe industry processes 14.5 Describe basic operations of ICS 14.6 Identify ICS components SKILL 15: Identify ICS security incidents 15.1 Identify types of attackers to an ICS 15.2 Discuss ICS vulnerabilities SKILL 16: Identify ICS zones 16.1 Explain how defensive measures are used in ICS zones 16.2 Describe the role of zones in defense-in-depth SKILL 17: Identify ICS protocols Section 6: Network Exploitation SKILL 18: Communicate cyberspace operations methodologies 18.1 Describe the mindset of cyber actors 18.2 Describe standard internal exploitation methodologies 18.3 Describe standard external exploitation methodologies

15 18.4 Discuss the importance of testing tools in a controlled environment SKILL 19: Define common frameworks for conducting cyberspace operations 19.1 Describe exfiltration strategies 19.2 Describe the benefits of acquiring critical systems 19.3 Explain the benefits of acquiring domain credentials SKILL 20: Discuss methods to gain access 20.1 Define shellcode 20.2 Define the process for ensuring shellcode executes 20.3 Discuss code injection 20.4 Explain the process of code injection 20.5 Explain methods of detecting code injection 20.6 Describe the processes to escalate privileges SKILL 21: Describe network attacks 21.1 Define network attacks 21.2 Compare network attack strategies 21.3 Discuss collateral effects of cyberspace attacks